Unit 42 — Managed Detection & Response

Cortex Pro
Managed Detection & Response

Unit 42's elite threat hunters and analysts operating 24/7 inside your XDR environment. Full multi-vector coverage — endpoint, network, cloud, and identity — not just endpoint monitoring.

  • 24/7 expert monitoring
  • Unit 42 elite IR team
  • 4 min avg MTTD (MITRE)
Palo Alto Managed Service — Partner Awareness Required

This is NOT a partner-delivered service. Cortex Pro is operated exclusively by Palo Alto Networks' Unit 42 team. Partners can recommend and facilitate the sale, but Palo Alto's own analysts manage all detection and response operations. Partners do not have access to the SOC operations workflow. Set expectations with customers accordingly — this is not a white-label or co-branded service that Optiv or other partners operate. The customer relationship for SOC operations is directly with Unit 42.

Overview

What is Cortex Pro (Unit 42 MDR)?

Cortex Pro is Palo Alto Networks' managed detection and response (MDR) service, delivered by Unit 42—PANW's elite threat intelligence and incident response arm. It is a service add-on that runs on top of Cortex XDR Pro per Endpoint. Customers must own XDR Pro to consume MDR.

Unit 42 analysts provide 24/7 monitoring, proactive threat hunting, and hands-on incident response using the full XDR telemetry stack. The service is enriched with Unit 42's proprietary threat intelligence derived from frontline IR engagements with hundreds of the world's largest organizations.

Two distinct Unit 42 add-ons:
  • Managed Threat Hunting: Unit 42 hunts proactively and hands off confirmed threats to the internal team.
  • MDR (Cortex Pro): Unit 42 fully monitors AND responds. Higher service level, higher cost.

Service Scope

MDR Service Capabilities

What Unit 42 analysts do inside your environment — not just alerts, but active response.

24/7 Expert Monitoring
Unit 42 analysts provide continuous monitoring across all XDR data sources—endpoint, network, cloud, and identity—not just endpoint telemetry. Full SOC team coverage without building one internally.
Proactive Threat Hunting
Unit 42 hunters search for IOCs, living-off-the-land behaviors, and nation-state TTPs proactively—before alerts fire. Hunting is informed by active intelligence from global IR engagements.
Hands-On Incident Response
Unit 42 analysts actively respond to confirmed threats—containing endpoints, blocking IPs, remediating compromised accounts. Not just alerting and advising — full hands-on response included.
Frontline Intelligence Enrichment
Every detection enriched with intelligence from Unit 42's active IR engagements globally. Adversary attribution and IOC context applied in real time — not just commercial TI feeds.
Multi-Source Telemetry
Unlike most MDR services that only cover endpoints, Unit 42 MDR uses XDR Pro's full multi-source telemetry—firewall logs, cloud workloads, identity events—giving analysts wider context for more accurate detections.
Executive Reporting
Regular threat briefings, incident reports, and security posture summaries for CISO and board-level consumption. Provides the audit trail and third-party validation boards demand.

Third-Party Validation

MITRE ATT&CK Managed Services Results

Independent MITRE evaluation of MDR detection coverage and speed — 2024 Managed Services evaluation.

  • CrowdStrike Falcon Complete: 97.7% detection coverage; 4 min avg MTTD
  • Unit 42 MDR (PANW): Top Tier detection coverage; sub-10 min MTTR SLA
  • SentinelOne Vigilance: 88.4% detection coverage; 47 min avg MTTD
MITRE differentiator: Unit 42 is one of the world's premier threat intelligence and IR teams. The intelligence feeding MDR comes from active IR engagements, not just feeds — a strong narrative for organizations facing nation-state threats.

Positioning Guide

When to Position MDR vs. DIY SOC

MDR isn't right for every customer. Use this framework to qualify when to lead with Cortex Pro and when to position XSIAM or co-managed options instead.

Lead with Cortex Pro MDR when…
  • Organization has 250–5,000 employees and no 24/7 SOC staff
  • CISO needs to show board-level 24/7 coverage without budget for a full SOC build
  • Customer has XDR Pro deployed and wants to maximize its value immediately
  • Incumbent MDR provider is tool-agnostic and not natively integrated with their stack
  • Customer recently experienced a breach and needs expert validation of posture
  • Cyber insurance requires documented 24/7 monitoring and IR retainer
  • Internal team is overwhelmed; analyst burnout is creating retention risk
Lead with XSIAM or co-managed when…
  • Large enterprise (5,000+ employees) with mature 24/7 SOC already staffed
  • Customer wants to own their SOC but needs platform modernization
  • Organization has strong SOAR/automation team and wants control over playbooks
  • Existing SIEM contract renewal is the primary driver — focus on XSIAM migration
  • Customer prefers Optiv-branded co-managed service (Optiv Tier 1 + Unit 42 Tier 2/3)
  • Regulatory constraints require local data processing or in-house SOC staff

Optiv Opportunity

XMDR Partner Program

Palo Alto Networks offers the Cortex eXtended MDR (XMDR) specialization for NextWave partners who demonstrate expertise in delivering MDR services on top of the Cortex platform. CDW and other top PANW partners hold this designation.

MDR Co-Sell

Optiv co-sells Unit 42 MDR alongside XDR Pro deployments. Optiv handles deployment and integration; PANW handles SOC operations. Clean division of ownership.

MDR Displacement

Replace incumbent MDR providers (Arctic Wolf, Secureworks, ReliaQuest) in accounts where the customer uses or is migrating to Cortex XDR. Primary Optiv services opportunity.

IR Retainer Bundling

Bundle Unit 42 MDR with a PANW IR retainer for customers who want both continuous monitoring and guaranteed IR capacity. Addresses cyber insurance requirements in a single package.

Hybrid MDR Model

For customers wanting Optiv-branded service delivery: Optiv handles Tier 1 triage; Unit 42 handles Tier 2/3 hunting and response. Optiv retains the customer relationship and billing.

Commercial Structure

Pricing & Prerequisites

Prerequisite: Customer must hold a Cortex XDR Pro per Endpoint license. MDR cannot be purchased on the Prevent tier alone.
  • Pricing model: Per endpoint, per year add-on on top of XDR Pro. Custom quote; not publicly disclosed.
  • Market range: MDR market typically $10–30/asset/month ($120–360/yr). Unit 42 is positioned at the premium end given the IR pedigree and intelligence quality.
  • Contract terms: Multi-year commitments typically yield 15–25% discount. Minimum endpoint counts typically apply.
  • AgentiX (5.0): AI pre-triages cases and enriches context before human analysts engage, reducing MTTR further in MDR deployments.

Sales Conversations

Discovery Questions

Questions to qualify MDR opportunities and build the Unit 42 business case.

01 Do you have 24/7 SOC coverage today — internal, outsourced, or a combination? What are the gaps in overnight/weekend coverage?
02 Have you experienced analyst burnout or difficulty retaining SOC staff? How is alert volume affecting team morale?
03 Does your board or cyber insurer require documented 24/7 monitoring with a named IR partner? What's your current IR retainer situation?
04 If you're using a current MDR provider — are they native to your detection stack, or are they aggregating across multiple tools with connectors?
05 What would it mean for your security posture if your MDR team had access to network and cloud telemetry alongside endpoint data — not just EDR alerts?
06 Do you have Cortex XDR Pro deployed today? If so, who is currently monitoring it 24/7 — internal team, an MDR partner, or on-hours only?